THE FEDERAL BUREAU OF INVESTIGATION’S IMPLEMENTATION OF THE LABORATORY INFORMATION MANAGEMENT SYSTEM

U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report 06-33
June 2006

EXECUTIVE SUMMARY

The Federal Bureau of Investigation’s (FBI) laboratory is one of the largest and most comprehensive forensic laboratories in the world. The laboratory, which conducts over one million examinations of physical evidence annually, supports FBI investigations and provides forensic and technical services to other federal, state, and local law enforcement agencies. The FBI manages the flow of evidence through the laboratory in a largely paper-based process, with a limited “in-and-out” database that shows when an item enters the laboratory for testing, when analyses are performed, and when the item leaves the laboratory. However, the FBI cannot readily determine where the evidence is during the examination process and what work remains to be completed. The FBI also does not have the capability to generate statistical reports to help manage laboratory operations, such as how long it takes to examine evidence or where delays might occur.

To provide a modern information system that would allow the FBI to better track and manage evidence as it passes through the laboratory, the FBI’s Laboratory Division awarded a $1.6 million contract, with 4 additional option years for a total of $4.3 million, to JusticeTrax, Inc. in September 2003. The contract was to provide the FBI with JusticeTrax’s commercial off-the-shelf (COTS) Laboratory Information Management System (LIMS).[1] The JusticeTrax LIMS was intended to allow the tracing and tracking of evidence using bar-code technology and provide a variety of reporting capabilities.

However, after many delays and extensive customization of the COTS LIMS, the system was unable to meet the FBI’s security requirements. In January 2006, the FBI notified JusticeTrax that the FBI had terminated the LIMS contract. In March 2006, the FBI and JusticeTrax agreed to a settlement that terminated the LIMS contract, resulting in an overall loss to the FBI of $1,175,015.

[1] The JusticeTrax product is known as LIMS-plus, but we refer to the system as LIMS throughout this report.

The OIG performed this audit to determine the status of the LIMS project, assess the Information Technology Investment Management (ITIM) processes and other management controls over the project, and determine the overall project costs. We found that the LIMS project was poorly managed. In addition, JusticeTrax was unable to meet the FBI’s more rigorous requirements implemented as a result of information technology (IT) system security breaches. With LIMS not able to obtain security certification and accreditation, coupled with other disadvantages such as the delayed implementation of a web-browser interface, the FBI terminated the contract. Although the FBI has now improved ITIM processes through its Life Cycle Management Directive (LCMD) and has established other improved controls, the failure of the system results in the FBI laboratory continuing to operate without an effective information system to adequately trace the flow of evidence through the laboratory.

Background

To track evidence arriving and leaving the laboratory, the FBI continues to use the Evidence Control System (ECS) that was created in 1978 and converted into a database in 1998.
The FBI uses the ECS to record when an item of evidence is received by the laboratory for analysis, when analyses are performed, and when the item is released by the laboratory back to its originator. In comparison to the ECS’s limited database, a modern laboratory information system can provide a much greater level of functionality, including: the ability to trace evidence throughout the analysis process; Internet capabilities that allow external agencies to review and request information about evidence they have submitted; extensive reporting, workload analysis, and responses to ad-hoc querying; and data searching regarding the disposition of evidence.

FBI’s LIMS Project

In 1998, the FBI’s Laboratory Division hired a contractor to develop requirements for a more functional information system. However, the implementation of such a system was not fully funded until the Laboratory Division reprogrammed money from its own projects to fund the development in 2002. By this time, the system requirements needed to be upgraded. In February 2003, the FBI issued a Request for Proposal (RFP) for a laboratory information management system.

The FBI received six responses to the RFP. Cost and technical committees comprised of personnel from the FBI’s Finance and Laboratory Divisions evaluated the proposals. In September 2003, the FBI awarded JusticeTrax, Inc., of Mesa, Arizona, a $4.3 million firm-fixed-price contract to provide its LIMS product to the FBI.[2] The FBI selected JusticeTrax because it submitted the lowest cost bid and had an exceptional technical evaluation.
According to JusticeTrax’s proposed project plan, LIMS installation, training, and roll-out would be completed in December 2003, 90 days from the contract award.

Schedule Delays

Although JusticeTrax planned to install the LIMS software within 90 days of the September 2003 contract award, a number of problems arose: (1) JusticeTrax’s president was a foreign national and thus not eligible to be involved in the development of the software for the FBI; (2) all JusticeTrax personnel lacked security clearances; and (3) although extensive software customization was required to meet FBI requirements, the LIMS used an outdated programming language that made modifying the software difficult and time-consuming.

The RFP for the information system stated that non-U.S. citizens may not have access to or be involved in the development of any Department of Justice IT system. By signing the contract or commitment document, the contractor agreed to this condition, even though the JusticeTrax president was not a U.S. citizen. However, after a security assessment, the FBI determined the risk was low and decided to continue with JusticeTrax. In April 2004, the JusticeTrax president signed a non-disclosure agreement to not access or assist in the development, operation, management, or maintenance of the FBI’s LIMS. In September 2004, 1 year after the contract was signed, the JusticeTrax president became a U.S. citizen and the non-disclosure agreement was rescinded.

Another obstacle to the timely implementation of the LIMS system was the lack of security clearances for JusticeTrax employees. The background investigations to obtain security clearances took from 3 to 8 months.

[2] The contract included a base year award of $1.6 million and four additional 1-year option contracts.
The base year was September 2003 to September 2004. The contract also included cost-reimbursable delivery orders to convert the legacy ECS data to the new LIMS-plus system.

The third problem was the FBI’s numerous customization requests to tailor LIMS to the FBI’s specific needs. The customization was a slow process because the JusticeTrax LIMS relies on an aging code format, Visual FoxPro.[3] While Visual FoxPro is outdated, it is still compatible with today’s technology. However, according to FBI personnel, Visual FoxPro is difficult and slow to customize compared to newer programming languages. While the extent of customization was the main obstacle, having to use the old code increased the delays.

FBI’s Project Controls

The FBI had no management control structure in place for LIMS such as establishing firm cost, schedule, technical, and performance benchmarks. The FBI also did not have a specific IT project manager for the LIMS project. Instead, the FBI relied on two contracting personnel to oversee the project as part of their contract-related duties. However, about 4 months after the FBI awarded the LIMS contract, there was turnover in these two key positions.

The FBI awarded the LIMS contract prior to the development and implementation of the FBI’s Life Cycle Management Directive. However, upon the LCMD’s implementation in November 2004, the FBI required all IT projects to follow the LCMD and meet the requirements for the stage of development the project had achieved. In May 2005, over a year after the LIMS was to be implemented, the FBI’s Information Management Project Review Board (IMPRB), one of the FBI’s IT investment boards, reviewed the LIMS project.
During this review, Laboratory officials explained that although there were delays in implementing LIMS, the system could function and JusticeTrax had completed training the system’s users. However, LIMS had not yet achieved all of the FBI’s requirements, such as being a web-based system, and it was unlikely that the project would pass the FBI’s certification and accreditation (C&A) testing to ensure the security of the system. FBI officials agreed that if the project could not pass C&A, then the project should be cancelled. An IMPRB member recommended that a Red Team be assembled to review the procurement and consider alternatives.[4]

[3] Visual FoxPro, first developed by Fox Software in 1984, is a programming language used to develop database applications.

[4] Red Teams review and advise on FBI IT projects that miss cost, schedule, or performance thresholds.

The Red Team included members from the FBI’s Laboratory Division, Office of General Counsel, Office of the Chief Information Officer (CIO), Finance Division, and ITOD. The Red Team review began in July 2005, and the team presented its findings, conclusions, and recommendations to the FBI’s CIO in October 2005. The Red Team recommended terminating the JusticeTrax contract because the LIMS system could not pass C&A, and additional work would not rectify the security weaknesses. In addition to the lack of a web-browser interface, identified deficiencies included several security vulnerabilities related to the lack of auditable records, insecure transmission between client and server, and a technical architecture that did not meet chain-of-custody requirements.
In lieu of LIMS, the Red Team suggested the FBI use a standard COTS workflow software package already licensed to the FBI.

The FBI’s CIO stated the LIMS contract was awarded before the FBI’s IT investment management controls were implemented, and that LIMS is an example of the success of the FBI’s new ITIM processes because the problems with the project were quickly identified for resolution based on the IMPRB review.

Certification and Accreditation

The C&A program is the FBI’s management control for ensuring the adequacy of computer system security. The FBI’s Security Division tests the security of all new IT systems and approves the C&A if it deems a system secure. The testing ensures that the FBI’s IT systems have an approved baseline security configuration and that the systems present little or no risk to FBI systems or data. The FBI required the C&A process to be completed and approval to operate the system be obtained from the Security Division before the LIMS system could be made operational. Although the RFP included the requirement for security to be part of the system, specific guidance on the LCMD C&A requirements had yet to be established at the time the contract was awarded and was not provided to JusticeTrax until August 2005 when the FBI provided the results of the FBI Security Division’s LIMS Certification Test Report to JusticeTrax. The C&A testing delayed and then prevented the implementation of LIMS, and it ultimately led to the termination of the contract.

In September 2005, the Security Division began system testing, which resulted in a Certification Test Report identifying 14 security vulnerabilities in the LIMS system.
In October 2005, the Security Division recommended against accrediting the system based on these high-risk vulnerabilities, which could not be mitigated due to the inherent design of the system. One weakness cited by the Security Division was the inability of LIMS to meet the confidentiality and integrity requirements for protecting evidentiary or grand jury data. The certifier recommended against granting an approval to operate. Because of these critical security flaws, the FBI determined that LIMS could not be used.

Contract Termination

The FBI became aware of delays and deficiencies with developing the LIMS system early in the contract period. While the LIMS software is functional, it has major deficiencies for FBI use, including the lack of a web-browser interface and numerous security vulnerabilities. Although the FBI and JusticeTrax signed the contract in September 2003, with the project to be implemented in 90 days, delays resulted in no-cost extensions through December 2005.

In December 2004, the FBI issued a Show Cause Notice to JusticeTrax stating that it failed to meet the deadline for the initial implementation of the system.[5] JusticeTrax responded that the delays resulted from requirements not immediately apparent in the contract and that it did not have detailed information regarding the C&A process and what would be tested. Early in 2005, the FBI issued a letter to JusticeTrax stating the results of the initial security review of the LIMS system during the C&A testing process and identifying security risks that had to be corrected before further certification testing could proceed.

In October 2005, the FBI issued a Cure Notice to JusticeTrax stating that the LIMS system was not able to successfully pass the FBI’s Security C&A Testing.[6] In the Cure Notice the FBI identified two outstanding concerns, the lack of auditable records (known as administrative shares) and the lack of a fully functional web-browser interface. JusticeTrax tried to resolve the security concerns, including the lack of auditable records, but the FBI’s Security Division found that the actions taken did not adequately resolve the concerns. JusticeTrax intended to work on the web-browser interface at a later date. However, in its response to the RFP, JusticeTrax had committed to providing the web-browser interface by early 2004.

[5] A contracting agency sends a Show Cause Notice to the contractor when problems occur. The notice includes a description of the problems and a timeframe for resolving the problems.

[6] A cure notice specifies to the contractor the problems requiring correction and establishes a timeframe for doing so.

At the end of October 2005, the FBI issued a Stop-work Order to JusticeTrax, and in January 2006 issued a contract termination letter.[7] In March 2006, the FBI and JusticeTrax agreed to terminate the contract for the convenience of the government. The FBI agreed to pay JusticeTrax an additional $523,932, and the contractor waived any claims arising from the contract.

In addition to considering other COTS workflow management systems to meet its information management needs, we recommend that the FBI consider systems being developed by other Department of Justice components. For example, we found that the Drug Enforcement Administration (DEA) and the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) are both working on laboratory information systems.

Costs

The base-year budget beginning September 2003 for the JusticeTrax contract was $1.6 million, with a total contract budget of $4.3 million including four additional 1-year contract options.
Prior to the Red Team’s decision to recommend terminating the LIMS contract, the FBI paid JusticeTrax a total of $856,219. We reviewed and verified that all expenses were supported by invoices. Consistent with the contract, the FBI Laboratory Division purchased hardware from JusticeTrax, including bar-coding equipment, totaling $205,136. The equipment purchased can be used within the laboratory separate from the LIMS system.

In January 2006, the FBI ended the LIMS project, and in March 2006 the FBI and JusticeTrax agreed to terminate the contract for the convenience of the government. The FBI agreed to pay a settlement of $523,932 to the company in addition to the money already spent on developing the system and obtaining hardware. Therefore, the FBI spent a total of $1,380,151 on the project. With only the hardware usable, the FBI lost $1,175,015 on the unsuccessful LIMS project.

[7] According to the Federal Acquisition Regulation, situations may occur during contract performance that cause the government to order a suspension of work, or a work stoppage. A Stop-work Order may be issued in any negotiated fixed-price or cost-reimbursement supply, research and development, or service contract due to advancement in the state-of-the-art, production or engineering breakthroughs, or realignment of programs.

JusticeTrax’s Observations

During our fieldwork, we met with JusticeTrax officials to discuss their perspective on the LIMS contract. In the opinion of the officials, the failure of the LIMS project was due to the FBI’s lack of communication, information sharing, and resources. Also, JusticeTrax said the FBI should have provided a champion, or advocate, to ensure the success of the project. Finally, JusticeTrax stated that the FBI held JusticeTrax to requirements that were not in the contract.
JusticeTrax acknowledged the contract included a provision for security but said it had no details about the C&A requirements. We agree with JusticeTrax that the FBI did not include specific details in the contract on how to meet the C&A requirements.

Conclusion

The failure to implement the LIMS system and the resulting loss of nearly $1.2 million in the attempt should be attributed to both the FBI and JusticeTrax. The project began before the FBI had established its ITIM processes, and those subsequent processes helped identify problems with the project that ultimately led to terminating the contract before losing additional money. The FBI did not do its homework before awarding the contract, including adequately identifying and assessing the risks in selecting JusticeTrax when the company’s COTS LIMS product had to be vastly modified. The FBI had a responsibility to not only ensure that JusticeTrax understood the system requirements, but also that JusticeTrax had the technical capacity to fulfill the requirements. The FBI did not adequately document for JusticeTrax the security requirements for certification and accreditation of the LIMS software and, to the extent security requirements evolved, did not clarify those changes through contract modifications.

The FBI should have assessed the problems and delays inherent in requiring major modifications to tailor a COTS system, especially one based on an outdated code. Firmly managed schedule, cost, technical, and performance benchmarks would have raised warning signs earlier in the project and perhaps led to resolution much more rapidly. Among the FBI’s weaknesses was the lack of established IT management processes when the project began and the failure to designate a LIMS project manager to oversee the implementation of the project.
Also, two key contracting positions experienced turnover within months after the contract award.

Because JusticeTrax did not provide cleared personnel to work on the system and its president was not a U.S. citizen, JusticeTrax contributed to the early delays in getting the project started. It was incumbent upon JusticeTrax to meet all FBI requirements for the system, including mandatory security protections and a web-browser capability. However, JusticeTrax is correct in that some requirements were unknown at the start of the project. JusticeTrax’s use of outdated code also made modifications difficult and time-consuming. JusticeTrax did not properly assess its ability to perform the work required to adapt its system to operate in the FBI environment. In addition, while JusticeTrax intended to make its system web-based, the delays in the project prevented that before the contract was terminated.

Because JusticeTrax was unable to address unacceptable security vulnerabilities, the FBI terminated the LIMS contract. The FBI’s Laboratory Division continues to lack a modern system to track evidence through the laboratory and otherwise manage its laboratory operations. It remains difficult to determine the location and status of evidence at any given point in time or to determine how long the process is taking.
We believe the FBI should consider adopting a COTS workflow system for its laboratory information system or an acceptably secure system used by another federal law enforcement entity, such as the Drug Enforcement Administration or Bureau of Alcohol, Tobacco, Firearms and Explosives, if it meets the FBI’s needs.

We agree with FBI officials who stated that the FBI’s LCMD should prevent problems such as those encountered with LIMS if the processes are applied as intended with detailed requirements for the contracting process, management oversight boards, and other controls to ensure troubled projects are identified sooner and remedied.

OIG Recommendations

We make three recommendations for the FBI to help ensure the FBI’s laboratory meets its need for an information management system. The recommendations are summarized below.

     •   Consider whether a COTS workflow system or laboratory information management system currently in use or under development within the federal government will meet the needs of the FBI laboratory.

     •   Ensure that any future laboratory information management system follows the FBI’s LCMD and is overseen by an experienced IT project manager.

     •   Establish cost controls to ensure that training or other expenses are not incurred prematurely in the development of a successor to the LIMS project.

TABLE OF CONTENTS

INTRODUCTION
    Background
    Prior Reports

FINDINGS AND RECOMMENDATIONS
Inadequate Management of the Laboratory Information Management System Project
    Project Delays
    LCMD Review Board
    Termination of the Project
    Laboratory Division’s New Review Process
    Project Costs
    LIMS Alternatives
    Conclusion
    Recommendations

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS
STATEMENT ON INTERNAL CONTROLS
APPENDIX 1: OBJECTIVES, SCOPE, AND METHODOLOGY
APPENDIX 2: ACRONYMS
APPENDIX 3: PRIOR REPORTS ON THE FBI’S INFORMATION TECHNOLOGY
APPENDIX 4: THE FBI’S LIFE CYCLE MANAGEMENT DIRECTIVE
APPENDIX 5: THE FBI’s RESPONSE TO THE DRAFT REPORT
APPENDIX 6: OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT

INTRODUCTION

Background

The collection, preservation, and forensic analysis of physical evidence are often crucial to the successful investigation and prosecution of crimes. The Federal Bureau of Investigation’s (FBI) laboratory, located in Quantico, Virginia, is one of the largest and most comprehensive forensic laboratories in the world. The laboratory not only supports FBI investigations, but also provides forensic and technical services to federal, state, local, and foreign law enforcement agencies. The FBI’s laboratory annually conducts over one million examinations involving analyses of physical evidence ranging from blood and other biological materials to explosives, drugs, and firearms. Laboratory examiners also provide expert witness testimony on the results of forensic examinations.

To keep a record of evidence provided to the laboratory for analysis, the FBI uses the Evidence Control System (ECS), created in 1978. The Laboratory Division converted this antiquated system to a database in 1998, but the ECS still has limited functionality. One FBI programmer developed the current version of ECS, and as new releases of database software become available, the database has been upgraded. The FBI currently uses Microsoft’s Access 2002 as the ECS database software.

The ECS system represents an “in and out” tracking system. Evidence is entered into the system when it arrives at the laboratory, and the system documents: (1) the control number for the evidence, (2) when an analysis has been performed on the evidence, and (3) when the evidence leaves the laboratory. Except for this information in the ECS, the laboratory relies completely on paper documentation that follows a piece of evidence as it passes through the laboratory’s various sections.
Each section of the laboratory enters data into its own computers. However, these files are immediately printed out and paper copies, rather than an electronic file, are relied on to track the evidence and the work performed. In addition, the data entered into a section’s individual computers are not linked to provide an overall management view of where the evidence is located, what analyses have been completed, or how long each step of the process is taking.

One laboratory official described the current system as very limited, and stated that when evidence is returned to the originator, its departure from the laboratory is not always entered into the ECS. As a result, FBI managers are unable to identify with certainty the evidence contained in the laboratory at any point in time or its progress in being examined and analyzed. Moreover, another laboratory official stated that only one person is familiar with the ECS database, a programmer from the FBI’s Information Technology Operations Division (ITOD). The laboratory employee who created the original system has retired. The official also pointed out that despite available technology, the FBI continues to use a labor-intensive manual system.
Each laboratory unit enters the same routine information, such as case number, date collected, and the submitting agency, for each item of evidence as it passes from one unit to another for continued processing.

In comparison to the laboratory’s limited database, modern commercial-off-the-shelf (COTS) laboratory information systems can provide many useful functions, including: the ability to track evidence throughout the analysis process; Internet capabilities that allow external agencies to review and request information about evidence they have submitted; extensive reporting, workload analysis, and responses to ad-hoc querying; on-line help; and data searching.

Pre-acquisition Activities

The FBI’s laboratory hired a contractor in 1998 to assist in the development of requirements for an information management system to replace the ECS. The contractor also evaluated COTS systems. However, the FBI’s Laboratory Division was unable to fund the project at that time.

In 2002, the Laboratory Division reprogrammed funds to replace the ECS with a modern information system. The system requirements developed by the contractor in 1998 were updated and validated through Joint Application Development (JAD) sessions.[8] JAD session participants included FBI personnel from the laboratory and other divisions. A contractor assisted with IT support and administrative tasks related to the proposed project, including facilitating and documenting the JAD sessions.
The requirements resulting from the JAD sessions were then used in developing a Request for Proposal (RFP), issued in February 2003 to solicit bids for developing the new system.

[8] JAD sessions, attended by system users and others interested in developing information technology (IT) solutions, help evaluate system requirements.

A firm-fixed-price contract with a base year and four additional 1-year option contracts was to provide the laboratory with:[9]

       •   a customized COTS information management system;

       •   bar-code peripheral devices and software, used to label and track evidence as it enters the laboratory;

       •   training;

       •   help desk services, maintenance, and operational support; and

       •   technical enhancements and upgrades to the application software.

The statement of work explained that the new system would:

       •   streamline the examination process,

       •   track evidence through the examination process,

       •   provide quality and inventory control, and

       •   provide management information relating to efficiency measures.

For example, if another laboratory needed any information on an item of evidence, FBI management would be able to log into the system, easily locate the evidence, and determine where the evidence was in the laboratory examination process and what needed to be completed. Laboratory managers would also be able to determine the length of time the evidence was at each stage of the testing and analysis.

[9] A firm-fixed-price contract provides for a price that is not subject to adjustments for the actual costs in performing work under the contract.
The
contract for the information system also provided for cost-reimbursable delivery
orders to migrate the ECS data into the new system. Cost-reimbursable contracts
pay allowable incurred costs to the extent prescribed in the contract.

      The FBI also required bidders’ products to support the many
responsibilities associated with the operation of a large and modern
forensic laboratory by providing a repository for laboratory data as well
as tools for accessing, processing, analyzing (providing performance
metrics), and reporting the data. The RFP included 200 requirements
in 7 categories: (1) functional requirements, (2) external interface
requirements, (3) performance requirements, (4) design constraints,
(5) security and legality, (6) data base requirements, and (7) system
support and maintenance. Examples of the RFP requirements include
the identification and tracking of evidence, a web-browser interface,
and full-time user support.

      The FBI received and began evaluating six responses to the RFP
in early 2003. The Laboratory Division formed cost and technical
committees to evaluate the proposals. The cost committee was
comprised of personnel from the FBI’s Finance Division, and the
technical committee was comprised of personnel from the Laboratory
Division. The evaluations included an examination of each bidder’s
costs based on the requirements listed in the RFP. The FBI’s technical
review committee completed its evaluation of the bidders’ responses to
the RFP in June 2003.

      The FBI rated JusticeTrax, Inc., of Mesa, Arizona, as the lowest
cost, qualified bidder for its Laboratory Information Management
System (LIMS).
[10] The technical committee rated JusticeTrax as
follows.

              AREA                                   RATING
              Technical – Functional Requirements    Acceptable
              Technical – Performance Plan           Exceptional
              Past Performance                       Exceptional
              Management                             Exceptional

      [10] The JusticeTrax product is called the Laboratory Information Management
System–plus. We refer to the system as LIMS throughout this report.

      The FBI’s evaluation of the JusticeTrax proposal cited some
strengths but also areas of risk. Examples of JusticeTrax’s strengths
were: (1) It had a mature COTS system used by organizations with
missions similar to the FBI’s, including the Royal Canadian Mounted
Police Forensic Services Laboratory; and (2) LIMS was already
integrated with bar-code scanner and printers that could be provided
for testing within 15 days and for implementation within 45. Although
the committee assessed LIMS as meeting the laboratory’s
mission-critical needs, the evaluation also identified two key risks in addition to
an ambitious delivery schedule: (1) because JusticeTrax is based in
Arizona, it needed to hire employees to work on the project in Virginia,
train them, and have them obtain security clearances within the
timeframe proposed; and (2) the JusticeTrax product required
significant customization of its software to meet the FBI’s
requirements such as security standards, migrating data from the ECS,
and providing the capability to issue alerts and notices.
Another
concern was that JusticeTrax did not have the capability to provide
web-browser connectivity immediately, but instead proposed
converting its LIMS product to a web-based application in early 2004.

JusticeTrax LIMS Product Selected

      Based on its evaluation of the six proposals received in response
to its RFP, the FBI awarded JusticeTrax a $4.3 million contract in
September 2003 to customize its LIMS product for the FBI’s
laboratory.[11] The award included a base year of $1.6 million and 4
additional 1-year option contracts. The base year was September
2003 to September 2004. Rather than developing a separate contract
document that included all of the RFP requirements for the information
system, the FBI adopted JusticeTrax’s response to the RFP as the
contract by attaching a signature page to the proposal. This proposal
covered all the FBI’s LIMS requirements, which included weak and
generally worded security requirements. According to JusticeTrax’s
proposed project plan, the basic LIMS installation, training, and
deployment were to be completed in December 2003, or 90 days after
the contract award. The full LIMS implementation — including
customization, enhancements, and testing — was to be completed in
February 2004, or 5 months after the contract award. The additional
option year contracts were to provide future enhancements such as
software updates and maintenance of the LIMS product.

      [11] The JusticeTrax website, www.justicetrax.com, states that it has
experience in software development, customization, integration, testing, and
training.
Additional services include data migration, custom report development,
training, and enhanced network support.

Prior Reports

      The Office of the Inspector General (OIG) and the Government
Accountability Office (GAO) each issued reports in 2002 recommending
that the FBI establish an Information Technology Investment
Management (ITIM) process to guide the development of its IT
investments and avoid investing in IT that does not support its mission
(see Appendix 3 for a listing of the reports related to the FBI’s IT
management.)[12] In response to these recommendations, the FBI
established a Life Cycle Management Directive (LCMD) in 2004, the
year after the FBI awarded the LIMS contract. The LCMD established
policies and guidance applicable to all FBI IT programs and projects
covering all elements of an IT system’s life cycle including planning,
acquisition, development, testing, and operations and maintenance.
Using the LCMD in the development of IT projects should enhance the
FBI’s ability to manage IT programs and projects, leverage technology,
build institutional knowledge, and ensure development is based on
industry and government best practices. The LCMD also included
certification and accreditation testing to ensure adequacy of IT
systems security. (The LCMD is further explained in Appendix 4.) In
addition to an ITIM process, the FBI continues to work on an
Enterprise Architecture to further ensure that investments are made in
an enterprise-wide decision.[13]

      In May 2004, the OIG issued a report entitled The FBI DNA
Laboratory: A Review of Protocol and Practice Vulnerabilities. This
report discussed certain vulnerabilities in the FBI’s DNA laboratory.
One of the vulnerabilities led to a recommendation for an information
management system.
Given the benefits of evidence tracking and
chain-of-custody documentation, the report noted that successful
implementation of such a system should be one of the laboratory’s top
administrative priorities.

      [12] The Department of Justice, Office of the Inspector General. The Federal
Bureau of Investigation’s Management of Information Technology Investments, Audit
Report Number 03-09, December 2002. The Government Accountability Office.
Campaign Finance Task Force Problems and Disagreements Initially Hampered
Justice’s Investigation, Report Number GAO/GGD-00-101BR, May 2002.

      [13] According to the GAO, an Enterprise Architecture is a set of descriptive
models such as diagrams and tables that define, in business and technology terms,
how an organization operates today, how it intends to operate in the future, and how
it intends to invest in technology to transition from today’s operational environment
to tomorrow’s.

               FINDINGS AND RECOMMENDATIONS


Inadequate Management of the Laboratory Information
Management System Project

     The FBI wasted $1,175,015 in attempting to implement
     the long-delayed LIMS project, which failed primarily due
     to uncorrectable security flaws. The LIMS project suffered
     from a series of delays, in part due to the extent of
     customization required to adapt JusticeTrax’s commercially
     available system to meet the FBI’s requirements. The
     LIMS project was unsuccessful because the FBI did not
     apply rigorous IT investment management processes,
     including strong and consistent IT project management,
     and inadequately considered the risks inherent in
     JusticeTrax’s ability to modify its LIMS software to meet
     the FBI’s particular needs.
     The FBI terminated the LIMS
     contract in January 2006 after 28 months. The basic
     system had been intended to be delivered within 90 days of the
     September 2003 contract award.

Project Delays

      JusticeTrax proposed installing its LIMS software within 90 days
of the September 2003 contract award. However, a series of delays
began soon after the contract was awarded. One of the reasons for
the delays was that JusticeTrax’s president and chief shareholder was
a foreign national, which created security concerns requiring an
evaluation. Also, the firm lacked IT personnel in Quantico, Virginia
with security clearances to work on the project. Moreover, extensive
customization of JusticeTrax’s off-the-shelf system was needed to
meet the FBI’s requirements, but the LIMS software used an outdated
programming language that made customization difficult and slow.

      In January 2004, 4 months after the LIMS contract was awarded,
the FBI’s contracting officer, who is responsible for the overall
implementation of the contract, and the contracting officer’s technical
representative (COTR), who directly monitors the contract, were both
replaced due to personnel changes in the FBI’s Laboratory Division.
Both of the individuals replaced were involved in the initial
development of the information management project, including the
system requirements. Shortly afterward, a series of problems arose in
the implementation of the LIMS project.

      In March 2004, the president of JusticeTrax informed the new
COTR that he was a foreign national. While the former COTR was
aware of the president’s status prior to awarding the contract, he did
not view the lack of U.S.
citizenship as a problem because he believed
the president was not going to be involved in the coding of the system.
Additionally, the contract did not specify work to be performed at the
classified level, even though the LIMS database was to include
classified and other sensitive information such as grand jury data. The
newly appointed COTR stated that she believed a risk existed with the
project because the LIMS would include sensitive information and the
JusticeTrax president might be directly involved in the LIMS
development. Additionally, the RFP included a Department of Justice
mandated provision prohibiting non-U.S. citizens from having access
to or being involved in the development of any Department IT system.
After evaluating the security risk, the Laboratory Division, the Security
Division, the Financial Division, and the Office of General Counsel
agreed that the JusticeTrax president being a foreign national was a
low risk; therefore the FBI decided to continue the contract. In our
view, it was predictable that because JusticeTrax is a small
organization of about 20 employees, the president would need to be
involved in managing the project. The FBI’s security concerns led the
JusticeTrax president to sign an agreement in April 2004 not to be
involved in the development, operation, management, or maintenance
of LIMS.

      The COTR followed up on her concerns, believing that the
sensitivity of the LIMS and the data it would hold required additional
assurances. As a result, the FBI performed a Community Acquisition
Risk Center (CARC) threat analysis. In August 2004, the FBI’s
Counterintelligence Division issued a CARC Company Threat Analysis
memorandum stating JusticeTrax was eligible to perform the contract.
Finally, in September 2004, 1 year after the contract was signed, the
JusticeTrax president became a U.S.
citizen, and the recusal
agreement was rescinded.

      The foreign ownership issue should have been addressed by the
FBI during the pre-acquisition phase of the project. Because of the
secure nature of the LIMS system, the FBI should have taken steps to
ensure that all of the potential contractors were familiar with the
security requirements of the system and of the Department of Justice’s
mandate prohibiting non-U.S. citizens from being involved in the
development of a Department system. As a result of not taking
measures to ensure that the potential contractors for the project met
these requirements, the COTR had to take actions that delayed the
project’s implementation after the contract had been awarded.

      Another obstacle to the implementation of the LIMS was a lack
of personnel with security clearances at JusticeTrax to work on the
project in Quantico, Virginia. JusticeTrax did not provide the FBI with
security clearance information on its personnel until almost 2 months
after the contract award, and the security clearance process took an
additional 3 to 8 months. This meant that JusticeTrax could not begin
implementing LIMS until early 2004, after the basic product was to
have been deployed in accordance with JusticeTrax’s schedule.

      A third problem was that the basic LIMS product required
extensive customization to meet the FBI’s requirements, resulting in
further delays. According to an FBI official in May 2005, the COTS
product was 95-percent customized. In essence, the FBI’s LIMS would
no longer be a COTS product but an FBI-unique system. This process
was slow because the LIMS software relies on a dated code format,
Visual FoxPro, requiring more intensive coding than more modern
formats.[14] Visual FoxPro is considered an outdated form of code, but
it is still compatible with today’s technology.
While the FBI’s requests
for a customized system caused delays, the old code used in the LIMS
software exacerbated these delays.

      [14] Visual FoxPro, developed by Fox Software beginning in 1984, is a
programming language used to develop database applications.

FBI Attempts to Correct Project Delays

      The FBI became aware of the delays and deficiencies with LIMS
early in the project. While the LIMS software was functional, it had
security vulnerabilities and did not yet meet the FBI’s requirement for
a web-browser interface. Although the basic LIMS was to be
implemented in 90 days (December 2003), the delays in the project
resulted in two no-cost extensions, with the base year slipping
15 months. In 2004, it became increasingly apparent to the FBI that
full implementation of LIMS appeared unlikely, even though
JusticeTrax had already trained laboratory personnel in operating the
system.

      On December 6, 2004, the FBI issued a Show Cause Notice to
JusticeTrax stating that JusticeTrax failed to meet the deadline for
implementation.[15] The notice also provided JusticeTrax with a list of
failed tasks including: (1) ensuring system security, (2) migrating
legacy ECS data to LIMS, and (3) passing acceptance testing of the
system. The Show Cause Notice stated that although the LIMS was
delivered, the system had to pass security testing as well as
acceptance testing. On December 9, 2004, JusticeTrax responded that
the delays the FBI detailed in the Show Cause Notice were
requirements not immediately apparent in the contract. JusticeTrax
also stated that neither it nor FBI staff had any detailed information
regarding the process and what was to be tested.
We also noted that
the FBI did not provide JusticeTrax with specifics of how to meet the
certification and accreditation (C&A) requirements.

      [15] A contracting agency sends a Show Cause Notice to the contractor stating
the delinquencies and timeframe to resolve the problems.

      On February 11, 2005, the FBI issued a letter to JusticeTrax
stating the initial security review of LIMS during the security testing
process identified risks that had to be corrected before further testing
could proceed.

LCMD Review Board

      The FBI awarded the LIMS contract 14 months prior to the
implementation of its LCMD, a critical initiative that provided the FBI
with sound and structured IT investment management processes to
help ensure successful IT projects. Once the LCMD was implemented,
the FBI required all ongoing IT projects to follow the LCMD processes
for the projects’ current stages of development. The FBI’s Chief
Information Officer (CIO) stated the FBI’s IT investment review boards
began reviewing ongoing projects that predated the LCMD. The review
boards examined high-dollar, high-risk projects first, concentrating on
the top 30 to 40 projects. LIMS was not reviewed for about 6 months
because the project did not meet the criteria for priority review.

      On May 20, 2005, the FBI’s Information Management Project
Review Board (IMPRB), one of the review boards established in the
LCMD, reviewed the LIMS project. During the review, laboratory
officials described the history of LIMS, including the laboratory’s need
for an information management system and the delays experienced in
trying to implement the LIMS project.
At the time of the review,
JusticeTrax had already trained the FBI’s would-be LIMS users.
Although LIMS was functional, it had not yet been brought online
because it did not meet all of the FBI’s security requirements. The
review board also learned that although JusticeTrax’s basic LIMS was a
COTS system, the software had undergone extensive modification so
that about 95 percent of the FBI’s version of LIMS was based on
custom code. A member of the IMPRB doubted the project would pass
the FBI’s security certification and accreditation testing. The FBI’s
Security Division provides C&A, authorizing the deployment and
operation of a system, only if it deems a system secure based on its
testing and evaluation. FBI officials agreed that if LIMS could not pass
C&A, then the project should be cancelled. The IMPRB expressed
additional concerns about project risks, including the fact that the
Visual FoxPro code used for JusticeTrax’s LIMS is old technology and
whether the small firm could adequately support the system into the
future. The IMPRB recommended that a Red Team be assembled to
review the LIMS project and consider alternative approaches.[16]

      The FBI formed a LIMS Red Team in July 2005 with
representatives of the Laboratory Division, the Office of General
Counsel, the Office of the CIO, the Finance Division, and the ITOD.
The team held meetings from July through October 2005 and
presented its findings, conclusions, and recommendations to the FBI’s
CIO in October.
From the beginning of its review, the Red Team
identified serious technical deficiencies with LIMS, which included:

      •    The requirement for a web-browser interface had not been
           satisfied;

      •    There were security vulnerabilities associated with
           administrative shares (auditable records);

      •    The transmission between client and server interface was
           inherently insecure; and

      •    The technical architecture was not suitable to ensure chain of
           custody requirements.

      [16] Red Teams review and advise on FBI IT projects that miss cost, schedule,
or performance thresholds.

      The Red Team recommended terminating the JusticeTrax LIMS
contract because the system could not pass C&A. The team also
suggested that BizFlow, a product the FBI is licensed to use, might be
a suitable alternative.[17] According to the Red Team, BizFlow has the
capability to integrate workflows with information management, create
and replicate forms, provide formatted and customizable reports, and
handle bar-coding equipment.

Certification and Accreditation

      As the IT review board predicted, C&A testing led to the
termination of the LIMS contract. As part of the LCMD, C&A is the
FBI’s management control for ensuring the adequacy of computer
systems’ security. The C&A testing and evaluation process is designed
to ensure the FBI’s systems are designed securely and remain secure
throughout their life cycle.
If the Security Division’s testing and
evaluation determine that a new system is secure, the Security
Division provides accreditation and approves the system to enter into
operations within the FBI’s IT architecture.

      [17] BizFlow is a workflow and information management system.

      The LIMS RFP required security to be part of the system.
However, due to several high-profile espionage-related security
breaches within the FBI, the FBI strengthened C&A requirements after
the September 2003 award of the LIMS contract. The specifics were
not available to JusticeTrax until the FBI provided the results of the
FBI’s Security Division’s Certification Test Report to JusticeTrax in
August 2005. The report stated that LIMS failed testing in four key
areas: (1) password storage, (2) auditing capability, (3) control of
grand jury evidence, and (4) shared directory (information sharing
outside the laboratory).

      In September 2005, the Security Division began testing for a
second Certification Test Report after JusticeTrax provided patches to
the LIMS software based on the first report. The FBI performed tests
to ensure that the system was at an approved baseline security
configuration and that the system presented little or no risk to FBI
systems or data. However, the Security Division identified 14
vulnerabilities according to the ease of exploiting the system. The 14
findings ranged from “requires expert-level knowledge to exploit the
vulnerability to gain access to the system” to “does not require tools or
expert-knowledge to exploit and gain access to the system.” The
significance level, meaning impact if exploited, for all 14 vulnerabilities
was rated high.
[18]

Termination of the Project

      By October 2005, it became clear to the FBI that LIMS would not
meet the FBI’s security and other requirements. The FBI gave
JusticeTrax an opportunity to correct the system’s deficiencies, but
those efforts were unsuccessful. Eventually, after 28 months of effort,
the FBI terminated the LIMS contract.

      On October 4, 2005, the FBI issued a Cure Notice to JusticeTrax
stating that the LIMS software application was not able to successfully
pass the FBI’s Security C&A Testing.[19] In the Cure Notice, the FBI
identified two outstanding concerns: (1) system security, and
(2) the lack of a fully functional web-browser interface. JusticeTrax
attempted to correct the security flaws, but the FBI’s Security Division
did not accept the corrections. JusticeTrax planned to provide the web
browser at a later date.

      Based on the Certification Test Report and its finding that LIMS
posed a very high security risk, the Security Division recommended on
October 17, 2005, that LIMS not be accredited. The C&A process
found that the system’s vulnerabilities could not be mitigated due to
the inherent design of the software. Therefore, the certifier
recommended against granting an approval to operate the system.[20]

      At the end of October 2005, the FBI issued a Stop-work Order to
JusticeTrax. According to the Federal Acquisition Regulation,
situations may occur during contract performance that cause the
government to order a suspension of work, or a work stoppage.
A
Stop-work Order may be issued in any negotiated fixed-price or
cost-reimbursement supply, research and development, or service contract
due to advancement in the state-of-the-art, production or engineering
breakthroughs, or realignment of programs.

      [18] In the Certification Test Report, the Security Division explained the high
significance level as extensive damage due to loss, corruption, or compromise of
National Security Information; prolonged denial of service of data; endangerment of
life; loss of integrity mechanisms; or corruption of security policies and rules.

      [19] A Cure Notice notifies the contractor of specific problems requiring
corrective action and establishes a 10-day time period to provide corrections.

      [20] One security flaw was the inability of LIMS to meet the confidentiality and
integrity requirements for the protection of evidentiary or grand jury data.

      In January 2006, the FBI issued a contract termination letter to
JusticeTrax. In March 2006, the FBI and JusticeTrax agreed to
terminate the contract. The FBI agreed to pay JusticeTrax an
additional $523,932, and the contractor waived any claims arising
from the contract.

CIO’s Observations

      The FBI’s CIO noted to the OIG that the LIMS contract was
awarded before the FBI’s IT investment management controls were
implemented through the LCMD. He stated that in his opinion, the
LIMS project demonstrates the success of the FBI’s LCMD because the
FBI terminated the project after the IMPRB review and the C&A
process showed that the LIMS system’s serious deficiencies could not
be corrected. The CIO noted that the LCMD process now requires
project managers to come before review boards so that the FBI’s
divisions no longer manage IT projects in isolation.
The CIO stated
that the controls provided by the LCMD help to detect problems earlier
in a project’s life cycle.

JusticeTrax’s Observations

      JusticeTrax officials stated that in their opinion, the failure of the
LIMS project was due to the FBI’s lack of communication, information
sharing, and resources. They also stated that the FBI did not provide
a “champion,” that is, an FBI official who would work to ensure the
success of the project. Finally, JusticeTrax officials said that the FBI
insisted on requirements, especially regarding system security, that
were not specified in the contract. Although the contract included a
provision for security, JusticeTrax officials stated that details for the
C&A requirements were never provided. After reviewing the
requirements in the contract, we agree that the security requirements
were too general to provide enough detail on how to meet the
requirements.

Laboratory Division’s New Review Process

      In addition to the FBI’s LCMD, the Laboratory Division had
established in October 2005 a division-wide Major Acquisition Review
Committee (MARC) to strengthen the oversight of the Laboratory
Division’s acquisitions, including IT investments. The MARC will assist
Laboratory managers to ensure that Laboratory projects adhere to all
Department of Justice and FBI requirements for sound project and
financial management. The MARC mirrors the LCMD, but covers all
projects rather than only the IT projects covered by the LCMD.
The
purpose of the MARC is to:

      •   review and approve Laboratory Division investments that
          meet the following thresholds: acquisition requests totaling
          $250,000 or more, IT requests totaling $50,000 or more, and
          all projects totaling $100,000 or more;

      •   ensure that the requests are aligned with the Laboratory
          Division Strategic and Program Plans;

      •   ensure that the requests have been included in the
          Laboratory Division’s Fiscal Year Spend Plan;

      •   ensure that acquisition rules, regulations, and requirements
          have been appropriately adhered to;

      •   ensure that project management standards and practices are
          being implemented and appropriately reviewed;

      •   ensure that all IT requests are properly prepared and are
          aligned with the FBI’s Enterprise Architecture, and adhere to
          the Office of the CIO’s requirements; and

      •   ensure resolution of concerns affecting the acquisition project
          (e.g., mission alignment, requirements, technology, security,
          information sharing, funding, and risks).

Project Costs

      The base year of the LIMS contract was September 2003 to
September 2004, with a $1.6 million budget. The base year could be
extended by four 1-year contract options, bringing the total contract
budget to $4.3 million.

      Prior to the Red Team’s decision to recommend termination, the
FBI paid JusticeTrax a total of $856,219 in personnel, training, and
equipment costs. This included $205,136 in hardware that the
Laboratory Division purchased from JusticeTrax that can be used by
the FBI laboratory separate from LIMS.
[21] During our audit, we
reviewed and verified that all expenses were supported by invoices.

      When the FBI terminated the LIMS contract, the FBI and
JusticeTrax agreed to a settlement of $523,932. Therefore, the FBI
spent a total of $1,380,151 on the LIMS contract as shown in the table
below.

                   FBI Payments to JusticeTrax
       Personnel and training                    $651,083
       Equipment                                 $205,136
       Termination agreement                     $523,932
       Total                                   $1,380,151
      Source: FBI data

The FBI wasted $1,175,015 on the LIMS project: $1,380,151 paid to
JusticeTrax less the reusable equipment totaling $205,136.[22]

LIMS Alternatives

      The FBI Laboratory Division’s need for an information
management system remains. To fulfill the need, the FBI is
considering other COTS systems. For example, the Red Team that
evaluated JusticeTrax’s LIMS recommended BizFlow software, which is
used for workflow and information management. The FBI purchased
BizFlow to use within the FBI in general, but the software has not yet
gone through C&A testing or other LCMD processes. Alternative
solutions might also be found in other Department of Justice
components’ or other federal agencies’ laboratory information
systems. For example, the FBI has obtained information from the
Drug Enforcement Administration on its ongoing project to acquire a
system for managing evidence. The Bureau of Alcohol, Tobacco,
Firearms and Explosives is also expected to deploy a new laboratory
information system in the spring of 2006 that has been under
development for over 5 years.

      [21] Of the $205,136 of equipment purchased, $144,070 was purchased with
reprogrammed, non-project laboratory funds.
The laboratory purchased 50 printers and 50 scanners for $61,066. Then, in expectation of implementing the project, the laboratory purchased additional bar-coding equipment with the $144,070 in reprogrammed funds.

Footnote 22: The equipment was purchased from JusticeTrax as part of the contract agreement.

Conclusion

We concluded that the FBI’s inability to implement the LIMS system and its loss of nearly $1.2 million in the attempt was a shared responsibility between the FBI and JusticeTrax. The project began before the FBI had established its ITIM processes. When those processes were implemented, they helped identify problems with the project that ultimately led to terminating the contract before losing additional money. Still, the FBI did not do its homework before awarding the contract, including adequately identifying and assessing the risks in selecting JusticeTrax, and in vastly modifying the company’s COTS LIMS product. The FBI had a responsibility to not only ensure that JusticeTrax understood the system requirements, but that JusticeTrax also had the technical capacity to fulfill the requirements.

In addition, the FBI did not adequately document for JusticeTrax the security requirements for certification and accreditation of the LIMS software. To the extent security requirements evolved, those changes should have been made clear through contract modifications, if necessary. The FBI also should have identified the citizenship problem of the JusticeTrax president, foreseen the security clearance requirements for JusticeTrax personnel, and assessed the problems and delays inherent in requiring major modifications to tailor a COTS system — especially one based on an outdated code.
A firmly managed schedule, and cost, technical, and performance benchmarks, would have raised danger signs early in the project and perhaps led to resolution much more rapidly. Among the FBI’s weaknesses were: (1) the lack of established IT management processes to ensure a sound project and identify problems early, and (2) not designating a project manager to oversee the project. Also, two key contracting personnel, both of whom were involved in the development of the LIMS requirements, left the project only 4 months after the contract was awarded. This lack of continuity and institutional knowledge likely contributed to the poor outcome of the LIMS project.

Because JusticeTrax did not provide personnel with security clearances to work on the system, and its president was not a U.S. citizen, JusticeTrax contributed to the early delays in starting the project. It was incumbent upon JusticeTrax to meet all FBI requirements for the system, including mandatory security protections. However, JusticeTrax has a legitimate point that some details of the requirements were unknown at the start of the project.

JusticeTrax’s use of outdated code made modifications difficult and time-consuming, and JusticeTrax did not properly assess its ability to perform the work required to adapt its system to operate in the FBI environment. Also, while JusticeTrax intended to make its system web-based, the delays in the project prevented that before the contract was terminated.

Because JusticeTrax was unable to mitigate unacceptable security vulnerabilities, the FBI had no choice but to terminate the LIMS contract.
As a result, the FBI’s Laboratory Division continues to lack a modern system to track evidence through the laboratory and otherwise manage its laboratory operations because it is difficult to determine the location and status of evidence at any given point in time or to determine how long the process is taking. We believe the FBI should consider adopting a COTS workflow system for its laboratory information system or an acceptably secure information management system used by another federal law enforcement entity.

We agree with FBI officials who stated that the FBI’s LCMD should prevent problems such as those encountered with LIMS if the processes are applied as intended with detailed requirements for the contracting process, management oversight boards, and other controls to ensure troubled projects are identified sooner and can be remedied.

Recommendations

We recommend that the FBI:

1. Consider whether a COTS workflow system or laboratory information management systems in use or under development within the federal government will meet the needs of the FBI laboratory.

2. Ensure that any project to provide a laboratory information management system not only follows the FBI’s LCMD but is overseen by an experienced IT project manager.

3. Establish cost controls to ensure that training or other expenses are not incurred prematurely in the development of a successor to the LIMS project.

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

This audit assessed the status of the FBI’s Laboratory Information Management System (LIMS) project.
In connection with the audit, we reviewed management processes and records to obtain reasonable assurance about the FBI’s compliance with laws and regulations that, if not complied with, in our judgment, could have a material effect on FBI operations. Compliance with laws and regulations applicable to the FBI’s LIMS project is the responsibility of the FBI’s management.

Our audit included examining, on a test basis, evidence about laws and regulations. The specific laws and regulations against which we conducted our tests are contained in the relevant portions of the Federal Acquisition Regulation.

Our audit identified no areas where the FBI was not in compliance with the laws and regulations referred to above. With respect to transactions that were not tested, nothing came to our attention that caused us to believe that FBI management was not in compliance with the laws and regulations cited above.

STATEMENT ON INTERNAL CONTROLS

In planning and performing our audit of the FBI’s Laboratory Information Management System (LIMS) project, we considered the FBI’s internal controls for the purpose of determining our audit procedures. This evaluation was not made for the purpose of providing assurance on the internal control structure as a whole. However, we noted certain matters that we consider to be reportable conditions under the Government Auditing Standards.

Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the management control structure that, in our judgment, could adversely affect the FBI’s ability to manage its LIMS project.
During our audit, we identified the following management control concerns.

• The FBI’s Laboratory Division remains without an information management system to aid laboratory managers in overseeing the operations of the laboratory.

• The FBI initially lacked an Information Technology Investment Management process, but has corrected that deficiency.

Because we are not expressing an opinion on the FBI’s internal control structure as a whole, this statement is intended solely for the information and use of the FBI in managing its IT investments. This restriction is not intended to limit the distribution of this report, which is a matter of public record.

APPENDIX 1

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

The primary objectives of the audit were to: (1) determine the status of the LIMS project; (2) assess the information technology investment management process used for LIMS; (3) assess project management and other management controls; and (4) determine project costs.

Scope and Methodology

The audit was performed in accordance with the Government Auditing Standards and included tests and procedures necessary to accomplish the audit objectives. We conducted work at the FBI Laboratory Division in Quantico, Virginia; FBI Headquarters in Washington, D.C.; and JusticeTrax corporate headquarters in Mesa, Arizona.

We interviewed officials from the FBI and JusticeTrax. The FBI officials interviewed were from the Laboratory Division, Office of the Chief Information Officer, Office of General Counsel, Finance Division, and Criminal Justice Information Services.
Additionally, we reviewed FBI documents on the LIMS project and budget, and prior GAO and OIG reports.

To determine the current status of the LIMS project, the Information Technology Investment Management processes used, and the extent of project management and other management controls, we interviewed FBI personnel and reviewed correspondence between the FBI and JusticeTrax. To determine LIMS project costs, we examined the contract budget, cost spreadsheets, and product invoices.

APPENDIX 2

ACRONYMS

ATF     Bureau of Alcohol, Tobacco, Firearms, and Explosives
CARC    Community Acquisition Risk Center
C&A     Certification and Accreditation
CIO     Chief Information Officer
COTS    Commercial Off-the-Shelf
DEA     Drug Enforcement Administration
ECS     Evidence Control System
FBI     Federal Bureau of Investigation
GAO     Government Accountability Office
IMPRB   Investment Management Project Review Board
IT      Information Technology
ITIM    Information Technology Investment Management
ITOD    Information Technology Operations Division
LCMD    Life Cycle Management Directive
LIMS    Laboratory Information Management System
JAD     Joint Application Development
MARC    Major Acquisition Review Committee
OIG     Office of the Inspector General
RFP     Request for Proposal

APPENDIX 3

PRIOR REPORTS ON THE FBI’S INFORMATION TECHNOLOGY

Below is a listing of relevant reports concerning the FBI’s information technology (IT) systems.
These include reports issued by the Department of Justice Office of the Inspector General (OIG) and the Government Accountability Office (GAO).

OIG Reports on the FBI’s IT

OIG reports issued over the past 15 years have highlighted issues concerning the FBI’s utilization of IT, including its investigative systems. In 1990, the OIG issued The FBI’s Automatic Data Processing General Controls, which found that:

• The FBI’s phased implementation of its 10-year Long Range Automation Strategy, scheduled for completion in 1990, was severely behind schedule and may not be accomplished;

• The FBI’s Information Resources Management program was fragmented and ineffective, and the FBI’s Information Resources Management official did not have effective organization-wide authority;

• The FBI had not developed and implemented a data architecture; and

• The FBI’s major mainframe investigative systems were labor intensive, complex, untimely, and non-user friendly, and few agents used them.

In December 2002, the OIG issued The FBI’s Management of Information Technology Investment. The report made 30 recommendations and focused on the need to adopt sound investment management practices as recommended by the GAO. The report also stated that the FBI did not fully implement the management processes associated with successful IT investments.
Specifically, the FBI had failed to implement the following critical processes:

• defining and developing IT investment boards,

• following a disciplined process of tracking and overseeing each project’s cost and schedule milestones over time,

• identifying existing IT systems and projects,

• identifying the business needs for each IT project, and

• using defined processes to select new IT project proposals.

In September 2003, the OIG issued The Federal Bureau of Investigation’s Implementation of Information Technology Recommendation, which outlined the FBI’s continued need to address the recommendations made by oversight organizations concerning its IT strategies. The report stated that although OIG audits found repeated deficiencies in the FBI’s IT control environment and lack of compliance with information security requirements, the FBI leadership appeared to be committed to enhancing controls to ensure that recommendations were implemented in a consistent and timely manner. Additionally, the report noted that the FBI established a system to facilitate the tracking and implementation of OIG recommendations.

In May 2004, the OIG issued The FBI DNA Laboratory: A Review of Protocol and Practice Vulnerabilities. In this report the OIG findings focused on two general types of vulnerabilities that became apparent during the review: (1) protocol vulnerabilities and practice, and (2) operational vulnerabilities. As a result of the vulnerabilities, one of the 35 OIG recommendations was that the FBI Laboratory Division implement an information management system. The OIG noted that laboratory management had begun to lay the groundwork for the implementation of a system in 2002.
Given the benefits that such a system would bring to evidence tracking and chain-of-custody documentation, the OIG recommended the successful implementation of an information management system as one of the laboratory’s top administrative priorities.

In February 2006, the OIG issued The FBI’s Pre-Acquisition Planning for and Controls over the Sentinel Case Management System. Sentinel is part of the FBI’s IT modernization project to replace the FBI’s antiquated case management system. The report noted the FBI has taken steps to address its past mistakes in IT investments and to adequately plan for the development of Sentinel.

External Reports on the FBI’s IT

The GAO has issued several reports and related testimony that highlight deficiencies with the FBI’s IT environment. In a review of the Department’s Campaign Finance Task Force, the GAO reported in May 2000 that the FBI lacked an adequate information system that could manage and interrelate the evidence that had been gathered in relation to the Task Force’s investigations. Also, as part of a government-wide assessment of federal agencies, the GAO reported in February 2002 that the FBI needed to fully establish the management foundation that was necessary to successfully develop, implement, and maintain an Enterprise Architecture.

In September 2003, the GAO issued Information Technology: FBI Needs an Enterprise Architecture to Guide Its Modernization Activities. This report reiterated the GAO’s finding made in the May 2002 report on the Department’s Campaign Finance Task Force that the FBI did not have an Enterprise Architecture, although it had begun efforts to develop one.
Additionally, the GAO found that the FBI still did not have the processes in place to effectively develop, maintain, and implement an Enterprise Architecture.

In September 2004, the GAO issued Information Technology: Foundational Steps Being Taken to Make Needed FBI Systems Modernization Management Improvements. This report stated that although improvements were underway and more were planned, the FBI did not have an integrated plan for modernizing its IT systems. Each of the FBI’s divisions and other organizational units that manage IT projects performed integrated planning for its respective IT projects. However, the plans did not provide a common, authoritative, and integrated view of how IT investments could help optimize mission performance, and they did not consistently contain the elements expected to be found in effective systems modernization plans. The GAO recommended that the FBI limit its near-term investments in IT systems until it developed an integrated systems and modernization plan and effective policies and procedures for systems acquisition and investment management. Additionally, the GAO recommended that the FBI’s Chief Information Officer (CIO) be provided with the responsibility and authority to effectively manage information technology FBI-wide.

In September 2005, the GAO issued Information Technology: FBI Is Taking Steps to Develop an Enterprise Architecture, but Much Remains to be Accomplished. This report stated that the FBI managed its Enterprise Architecture program in accordance with many best practices, but other such practices had yet to be adopted. These best practices, which are described in GAO’s Enterprise Architecture management maturity framework, are those necessary for an organization to have an effective architecture program.
In addition, the FBI relied heavily on contractor support to develop its Enterprise Architecture. However, it did not employ effective contract management controls in doing so.

In September 2005, the GAO issued testimony entitled, Information Technology: FBI is Building Management Capabilities Essential to Successful System Deployments, but Challenges Remain. This testimony stated that the FBI had made important progress in establishing IT management controls and capabilities that GAO’s research and experience show are key to exploiting technology to enable transformation. These included centralizing IT responsibility and authority under the CIO and establishing and beginning to implement management capabilities in the areas of enterprise architecture, IT investment management, systems development and acquisition life cycle management, and IT human capital. In addition:

• The FBI had developed an initial version of its enterprise architecture and is managing its architecture activities in accordance with many key practices, but it had yet to adopt others (such as ensuring that the program office has staff with appropriate architecture expertise).

• The FBI was in the process of defining and implementing investment management policies and procedures. For example, it was performing assessments of existing systems to determine if any could be better used, replaced, outsourced, or retired, but these assessments had yet to be completed.

• The FBI had issued an agency-wide standard life cycle management directive, but it had yet to fully implement this directive on all projects.
Also, certain key practices, such as acquisition management, required further development.

• The FBI had taken various steps to bolster its IT workforce, but it had yet to create an integrated plan based on a comprehensive analysis of existing and needed knowledge, skills, and abilities. According to the CIO, the FBI intended to hire a contractor to develop an implementation plan. The CIO also intended to establish a management structure to carry out the plan.

• The challenge for the FBI is to build on these foundational capabilities and implement them effectively on the program and project investments it has underway and planned.

APPENDIX 4

THE FBI’S LIFE CYCLE MANAGEMENT DIRECTIVE

According to the FBI’s Chief Information Officer (CIO), since the inception of the Life Cycle Management Directive (LCMD), all FBI information technology (IT) programs and projects have been reviewed and managed according to the processes described in the LCMD. New IT programs and projects have been managed according to this IT Systems Life Cycle from inception and will be managed through retirement or replacement, while existing IT programs and projects are reviewed and placed within an appropriate IT Systems Life Cycle phase according to their maturity and other factors.

Systems Life Cycle Phases

The LCMD has established nine phases that occur during the development, implementation, and retirement of IT projects. During these phases, specific requirements must be met for the project to obtain the necessary FBI management approvals to proceed to the next phase.
The approvals occur through seven control gates, where management boards meet to discuss and approve or disapprove a project’s progression to future phases of development, implementation, or retirement. The nine phases of development, implementation, and retirement are as follows:

Concept Exploration — Identifies the mission need, develops and evaluates alternate solutions, and develops the business plan.

Requirements Development — Defines the operational, technical and test requirements, and initiates project planning.

Acquisition Planning — Allocates the requirements among the development segments, researches and applies lessons learned from previous projects, identifies potential product and service providers, and secures funding.

Source Selection — Solicits and evaluates proposals and selects the product and service providers.

Design — Creates detailed designs for system components, products, and interfaces and initiates test planning.

Development and Test — Produces and tests all system components, assembles and tests all products, and plans for system testing.

Implementation and Integration — Executes functional, interface, system, and integration testing, provides user training, and accepts and transitions the product to operations.

Operations and Maintenance — Maintains and supports the product, and manages and implements necessary modifications.

Disposal — Shuts down the system operations and arranges for the orderly disposition of system assets.

Control Gate Reviews

The seven control gate reviews provide management control and direction, decision-making, coordination, confirmation of successful performance of activities,
and determination of a system’s readiness to proceed to the next life cycle phase. Decisions made at each control gate review dictate the next step for the IT program or project and may include: allowing an IT program or project to proceed to the next segment or phase, directing rework before proceeding to the next segment or phase, or terminating the IT program or project. The FBI’s Investment Project Review Board (IMPRB) — comprised of 12 representatives from each FBI division at the Assistant Director level and 4 representatives from the Office of the Chief Information Officer, including the CIO — is responsible for approving an IT project’s passing through each control gate. The seven control gate reviews that represent the approval of an IT project are as follows:

Gate 1 — System Concept Review approves the recommended system concept of operations.

Gate 2 — Acquisition Plan Review approves the Systems Specification and Interface Control documents and the approach and resources required to acquire the system as defined in the Acquisition Plan.

Gate 3 — Final Design Review approves the build-to and code-to documentation and associated draft verification procedures, ensures that the design presented can be produced and that when built is expected to meet its design-to specification at verification.

Gate 4 — Deployment Readiness Review approves the readiness of the system for deployment in the operational environment.

Gate 5 — System Test Readiness Review verifies readiness to perform official system-wide data gathering verification testing for either qualification or acceptance.

Gate 6 — Operational Acceptance Review approves overall system and product validation by
obtaining customer acceptance and determining whether the Operations & Maintenance organization agrees to, and has the ability to, support continuous operations of the system.

Gate 7 — Disposal Review authorizes termination of the Operations and Maintenance Phase and disposes of system resources.

At each control gate, executive-level reviews determine system readiness to proceed to the next phase of the IT systems life cycle. Evidence of readiness is presented and discussed at each control gate review in the form of deliverables, checklists, and documented decisions. Regardless of the development model used for a particular program or project, all control gate reviews should be performed unless an agreement is made to skip or combine reviews. Depending upon the development model employed, programs or projects may pass through the control gates more than once.

The control gate reviews also provide executive-level controls to ensure that IT projects are adequately supported and reviewed before a project receives additional funding.
Five executive-level review boards serve as the decision authority for the control gate reviews:

• Investment Management Project Review Board (IMPRB) leads the System Concept Review and the Acquisition Plan Review and ensures all IT acquisitions are aligned and comply with FBI policies, strategic plans, and investment management requirements.

• Technical Review Board leads the Final Design Review and ensures IT systems comply with technical requirements and meet FBI needs.

• Change Management Board leads the Deployment Readiness Review, System Test Readiness Review, Operational Acceptance Review, and the Disposal Review, and controls and manages developmental and operational efforts that change the FBI's operational IT environment.

• Enterprise Architecture Board ensures IT systems comply with Enterprise Architecture requirements.

• IT Policy Review Board establishes, coordinates, maintains and oversees implementation of IT policies.

LCMD Project-Level Reviews

Project-level reviews help determine a project’s readiness to proceed to the next phase of the project life cycle. Each project-level review provides information to the executive-level control gates as data is developed and milestones are completed. They include the following:

• Mission Needs Review is a technical progress review that approves the set of mission goals that will be satisfied throughout the project.

• System Specification Review is a technical progress review to approve the System Specification and External Interface Control Documents.
The review is the decision point to proceed with the development of an Acquisition Plan, the allocation of system requirements to segment specifications, and the development of Project Plans that will execute the acquisition.

APPENDIX 5

THE FBI’s RESPONSE TO THE DRAFT REPORT

APPENDIX 6

OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT

The OIG provided a draft of this audit report to the FBI on April 28, 2006, for its review and comment. The FBI provided a written response, dated May 31, 2006, which we included as Appendix 5 of this final report. The FBI concurred with the three recommendations in the audit report and also provided comments regarding three general issues in the report. Our analysis of the FBI’s response follows.

FBI’s General Comments

1. In its response, the FBI states that the purpose of LIMS was to enhance the processes and procedures currently in place in the laboratory by improving efficiencies and automation. Although we agree with this statement, it does not reflect the full impact that the implementation of the LIMS project would have had on the laboratory. As noted in the report, laboratory officials stated that the paper-based system currently being used by the laboratory is very limited in what information it can provide to enhance the management of evidence as it passes through the laboratory.
LIMS would have allowed the FBI to electronically trace evidence as it passes through the lab and provide workflow data needed to better manage the laboratory.

The FBI’s response also states that our report implies the laboratory’s operations are not effective or adequate and points out that the FBI’s laboratory is one of the largest and most comprehensive forensic laboratories in the world. Our audit report recognizes the significant amount of work performed at the FBI laboratory and does not question the work that is performed on evidence within the laboratory. However, the size and scope of the laboratory do not demonstrate the effectiveness or adequacy of the management of the evidence held within the laboratory. Our audit concludes that the management of evidence as it passes through the laboratory would have been significantly enhanced had a laboratory information management system been fully and effectively implemented.

The FBI’s response also states that improvements to the laboratory’s information management system are required, rather than the establishment of a new system. The FBI is currently utilizing a Microsoft Access database to document when a piece of evidence is received, when a test has been completed on the evidence, and when it is released from the laboratory. However, as pointed out in the report, the release of a piece of evidence is not always documented adequately. As a result, laboratory management cannot determine what evidence is contained within the laboratory at any given point in time. Additionally, the database system utilized by the laboratory also cannot reasonably pinpoint where a piece of evidence is at any given point in time.
While we agree that the laboratory has an information
management system in place, the system has limited functionality.
This limited functionality led the FBI to enter into the LIMS contract to
acquire a more effective system. We believe that the FBI either needs
to make significant improvements to the existing information
management system or acquire a new system that provides laboratory
management the ability to more effectively manage laboratory
operations.

      2. The FBI response states that our report implies the FBI had
singular control over the system development and process, although
the report acknowledges that the vendor also bears some
responsibility for the project’s difficulties. As the response suggests,
our audit found that both the FBI and the contractor were responsible
for the outcome of the LIMS project. However, the FBI was solely
responsible for establishing the system requirements and ensuring that
the contractor met those requirements. We noted in the report that
the FBI has recently made significant strides in the development and
management of information technology projects. However, the LIMS
project did not benefit from these new management practices.

      The FBI’s response also notes that the contract termination
settlement is far less than the full contract amount. We agree.
However, the FBI incurred costs in addition to the settlement amount,
such as the personnel involved in the development, management, and
termination of the project. More important is the fact that despite
having worked on the development of an information management
system since 1998 and reprogramming funds from other Laboratory
Division programs in order to pay for the project, the FBI’s laboratory
remains without a modern system.

      3.
The FBI requests that the vendor’s name and specific dollar
amounts of the project be redacted from the report to protect the
future business opportunities of the vendor and future requests for
proposal issued by the FBI on similar projects. After careful review
and consideration of the FBI’s request, we have decided to not redact
the information for the following reasons: (1) the contractor’s name
and the dollar amounts paid to JusticeTrax are public information;
(2) the public has a right to know the name of the system contractor;
and (3) our report is clear that both the FBI and JusticeTrax were
responsible for contributing to LIMS’ failed implementation. For
example, we fault the FBI for not adequately documenting system
security requirements and for its overall poor project management,
and we fault JusticeTrax for not meeting the FBI's security
requirements once they were established and for not providing the
web-enablement capabilities for the LIMS software as required by the
contract. Therefore, we believe that our report is accurate as to which
party was responsible for the various system implementation failures.
Finally, because the name of the contractor and the dollar amounts
paid to it are public information, we do not agree that disclosing the
information in this report is inappropriate or will have an effect on
future FBI requests for proposals.

Status of Recommendations

1. Resolved. The FBI agrees with this recommendation. In its
response to the draft report, the FBI states that the Laboratory, in
conjunction with the Office of the Chief Information Officer (OCIO)
began a Business Process Management initiative to focus on the
development, improvement, and reengineering of processes that
govern the way laboratory services are provided.
This recommendation can be closed when
we receive documentation demonstrating that the FBI has considered
whether a COTS workflow system or laboratory information management
system in use or under development within the federal government will
meet the needs of the FBI’s laboratory.

2. Resolved. The FBI agrees with this recommendation. In its
response to the draft report, the FBI states that it is committed to
ensuring all current and future Laboratory Division information
technology (IT) projects comply with OCIO IT management processes,
including the Life Cycle Management Directive (LCMD). Additionally,
the FBI Laboratory Division has established a Project and Account
Management System (PAMS), which provides managers and users with
real-time, online financial information. PAMS is a centralized, remotely
accessed, web-based system that captures, tracks, and manages the
laboratory’s investments. This recommendation can be closed when
we receive documentation demonstrating that any project to provide a
laboratory information management system not only follows the FBI’s
LCMD but is overseen by an experienced IT project manager.

3. Resolved. The FBI agrees with this recommendation. In its
response to the draft report, the FBI states that the Laboratory
Division is committed to ensuring that all current and future IT
projects comply with the FBI’s OCIO IT management processes,
including the LCMD. Additionally, the Laboratory Division established a
Major Acquisition Review Committee (MARC), comprised of the
Division’s Deputy Assistant Directors, Section Chiefs, and the Unit
Chief of the Planning and Budget Unit.
The MARC serves as the review
entity for Life Cycle Phased Reviews, and reviews will be performed on
all laboratory acquisition requests totaling $250,000 or more, all IT
requests totaling $50,000 or more, and all Laboratory Division projects
totaling $100,000 or more. This recommendation can be closed when
we receive documentation demonstrating that the FBI has established
cost controls to ensure that training or other expenses are not incurred
prematurely in the development of a successor to the LIMS project.